Why Higher Education Needs to Build IT as Well as Cyber Resilience
As guardians of highly sensitive personal information and world-class research, the UK’s higher education (HE) institutions are popular targets for cybercriminals and nation-states alike. That should put cyber-resilience right at the top of the priority list for CISOs in the industry. But as the recent CrowdStrike outage highlighted, the HE sector should be prepared for more than just threat actors.
Cyber-resilience is an integral part of business continuity, but there are other risks to the information that HE institutions manage and the services they deliver that must also be managed. Fortunately, ISO 27001 can also help by safeguarding information systems’ availability, confidentiality, and integrity in the event of an unexpected disruption.
What Happened?
Described as possibly the world’s worst IT outage, the CrowdStrike incident stemmed from a faulty update to the firm’s Falcon endpoint security tool, causing widespread problems with Microsoft Windows computers running the software. Although less than 1% of global Windows endpoints were impacted, this equated to over eight million machines – many of which operated critical services in hospitals, airlines and HE institutions.
According to reports, services at UK HE institutions, including Manchester, East Anglia, Oxford Brookes, Lancaster, and Aston universities, were impacted by the outage. Many others across the Atlantic were also affected, with student portals taken down and some institutions forced to close summer classes. Had a similar incident occurred during term time, the disruption might have been much worse.
Building Resilience
UK universities have been on the back foot against threat actors for some time. According to the government, 97% of HE institutions identified a breach or cyber-attack in the past year, with six in 10 claiming they had been negatively impacted by it. A combination of complex distributed networks and large numbers of staff and students who require open internet access makes for an expansive attack surface to defend. Ransomware, phishing, state-backed data theft and info-stealing scams are prevalent. And persistent financial pressures make it difficult for CISOs to prioritise where spending should be focused.
Yet experts believe the CrowdStrike incident should be a catalyst for a broader discussion of IT resilience that goes beyond preventing, detecting, and responding to malicious cyber incidents. According to Chris Gilmour, CTO of IT managed services firm Axians UK, planning for such events should come alongside the usual cyber-hygiene staples of patching, multi-factor authentication (MFA), and restricting network access.
“Regular testing of disaster recovery plans and contingency planning for ‘left field’ challenges is essential to ensure that they are effective in the event of a crisis,” he tells ISMS.online. “It’s also incredibly important to foster a culture of security awareness among staff and students that can help prevent breaches and mitigate their impact.”
Trend Micro UK&I technical director Bharat Mistry adds that HE business continuity plans should cover IT, communication, data access and teaching.
“These plans should identify critical functions and systems, outline clear procedures for maintaining essential operations during disruptions, and define roles and responsibilities for emergency response teams, including communication protocols for stakeholders,” he tells ISMS.online.
“Frequent drills and simulations should also be carried out to test business continuity plans and identify weaknesses. This helps ensure staff are prepared to respond effectively during real incidents.”
Technology and security leaders in HE should also consider the IT infrastructure they use. Mistry recommends cloud-based solutions to ensure accessibility, load balancing, and failover to maintain service availability, as well as hybrid cloud architectures to spread the risk across multiple environments.
“Avoid over-reliance on a single vendor or system. Implementing redundant systems and diversifying critical services can help maintain operations if one system fails,” he adds. “This includes using multiple cybersecurity solutions from different vendors, maintaining offline backups of critical data and systems, and implementing redundant network connections and power supplies.”
Both Gilmour and Mistry also advocate post-incident reviews to ensure IT teams learn the lessons of serious security breaches and outages. These can help provide “a thorough analysis of incidents, uncovering root causes and highlighting areas for process improvement” and foster “a culture of accountability and continuous learning across the organisation,” says Mistry.
ISO 27001 and Beyond
The question is: where to start? ISO 27001 and Cyber Essentials are well known to many IT and security leaders as ways to improve baseline cyber and information security. But while the latter focuses on technical controls for internet-facing systems to minimise cyber risk, ISO 27001 arguably offers more that can also be tied into business continuity/disaster recovery planning.
This includes key areas such as:
- Vendor risk management
- Incident response
- Communication with internal and external stakeholders/customers
- Software testing
- Employee training
Using ISO 27001 as a starting point, HE organisations could build cyber-resilience while setting the groundwork for a more comprehensive approach to broader IT resilience.
“By adopting these standards, universities can establish a systematic approach to risk management, incident response and data protection. These frameworks offer a comprehensive set of best practices that can help organisations identify and address vulnerabilities, enhance their resilience, and comply with regulatory requirements,” says Axians UK’s Gilmour.
“Adopting and implementing the processes and policies of these standards means universities can significantly improve their cybersecurity posture and protect their sensitive data and operations.”
Trend Micro’s Mistry adds that many organisations start with Cyber Essentials and then build on it with the “more comprehensive” ISO 27001 standard to improve security and resilience further.
“Frameworks like ISO 27001 and Cyber Essentials play crucial roles in building IT and cyber resilience, offering organisations a structured path to enhance their security practices,” he concludes. “By leveraging these frameworks, organisations can systematically improve their ability to prevent, detect, respond to, and recover from cyber-incidents, ultimately strengthening their overall cyber-resilience posture.”